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(57) Abstract: The invention relates to a device (15) for preventing illegal exportation of a content protected by a global copy 
^5 protection system to a local copy protection system. According to the invention, each content liable to be exported contains a unique 
® identifier (CUT) and the device (15) comprises a table (CET) for storing unique identifiers of all contents that have already been 
exported through said device. The invention also relates to a method for recording a content received by such a device. This method 
comprises the steps consisting, if the copy is to be made for a local copy protection system, in checking whether the unique identifier 
(CUI) of said content is contained in the table (CET) of said device; and should said checking be positive, in preventing the recording; 
and should said checking be negative, in recording the content and storing said unique identifier (CUI) in said table. 
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Secure exportation from a global copy protection system to a 
local copy protection system 

Field of the invention 
5 The invention relates generally to the copy protection problem. More 

particularly, the invention relates to a device and a method for preventing illegal 
exportation of a content from a global copy protection system to a local copy 
protection system. 

10 Background art 

Copy Protection has been a hot topic for the last few years. First 
Copy Protection Systems (CPS) that have been studied rely on link encryption 
(see for example the "DTCP" proposal disclosed in "Digital Transmission Copy 
Protection Specification - Vol. 1 (Informational version) - Rev. 1.2 - July 11, 

15 200T available at the following Internet address 
http-J/www.dtcp. com/datafinfojdtcpjrtjl2_2Q01071 1.pdf) or prerecorded / 
recordable media protection (see for example the "CPSA" proposal disclosed in 
"Content Protection System Architecture, A Comprehensive Framework for 
Content Protection - rev 0.81 - February 17, 200CT available at the following 

20 Internet address http://www.4centity.com/data/tech/cpsa/cpsa081.pd These 
systems will be called "local CPS" in the following of the description. 

The focus of Copy Protection has recently moved to a global security 
of the content through the home network and a new category of systems, that 
will be called "global CPS* in the following, has been investigated by 

25 normalization bodies (such as "DVB-CPT or "TV-Anytime" forum) and industry 
efforts (see for example the "SmartRight" proposal disclosed in "SmartRight 
Technical white paper- version 1.0 - October 29, 2001"). 

Local CPS usually have four different usage rules: 

- "copy-free" (one may copy the content without any limitations), 
30 - "copy-never" (one may not copy the content), 

- "copy-once" (one may copy only once the content), 

- "copy-no-more" (one may not copy the content because it is the 
copy of a "copy-once" content or an already copied "copy-once" 
content). 

35 However, because of implementation difficulties, the "copy-once" 

usage rule has often been replaced by "copy-one-generation" usage rule (one 
may copy only the original content), leading to a much wider possible use of the 
content than expected. 
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Global CPS replace the "copy-once" or "copy-one-generation D and 
"copy-no-more" usage rules with the "private-copy" usage rule. The "private- 
copy" usage rule allows to make as many copies as desired but the copy will be 
only usable within the home network wherein it has been created. That usage 
5 rule is easy to Implement and in line with both users and content owners 
interests. 

One problem encountered with these systems is due to the fact that 
global CPS coexist with local CPS. A user may want to export a "private-copy 0 
content from a global CPS to a local CPS. For instance, a user may want to 

10 make a back-up copy from a "private-copy" content created in a global CPS on 
an optical disc (such as a DVD - acronym of "Digital Versatile Disc" - or a BRD 
- acronym of "BIu-Ray Disc") protected by a local CPS. The "private-copy" 
usage rule in the global CPS is logically changed to the "copy-no-more" usage 
rule in local CPS. But this is insufficient since as many "copy-no-more" copies 

15 as desired can be created from the "private-copy" content. This feature is clearly 
in contradiction to the copy-no-more usage rule. 

It is therefore an object of the present invention to provide a method 
ensuring that a content protected by a global CPS and labeled "private-copy" 
cannot be exported (as a "copy-no-more" content 1 ) an unlimited number of 

20 times to a local CPS. 

Summary of the invention 

The main idea of the invention is to associate a Content Unique 
Identifier (CUI) to any content entering a home network protected by a global 
25 CPS. This CUI will be checked when the content will leave the global CPS for a 
local CPS. 

More particularly, the Invention relates to a device for preventing 

illegal exportation of a content protected by a global copy protection system to a 

local copy protection system, characterized in that each content liable to be 
30 exported contains a unique identifier and in that the device comprises an 

exportation table for storing unique identifiers of all contents that have already 

been exported through said device. 

The Invention also relates to a method for recording a content 

received by a device as above-mentioned, characterized in that it comprises the 
35 steps consisting, if the copy is to be made for a local copy protection system, in 

checking whether the unique identifier of said content is contained in the 

exportation table of said device; and 
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- should said checking be positive, in preventing the recording; and 

- should said checking be negative, in recording the content and 
storing the unique identifier in the exportation table. 

The invention further relates to a device adapted to be linked to a 
5 local network protected by a global copy protection system and to convert a 
content it receives into a content protected by the global copy protection 
system, characterized in that the device is furthermore adapted to generate a 
unique identifier for each content it converts, the unique identifier being inserted 
in a part of the content protected by encryption or by authentication 
10 Thanks to the invention, it is possible to control the number of local 

CPS-protected copies created from a global CPS-protected content. 

Brief description of the drawings 

The various features and advantages of the present invention and its 
15 preferred embodiments will now be described with reference to the 
accompanying drawings which are intended to illustrate and not to limit the 
scope of the present invention and in which: 

- Fig. 1 illustrates the environment of the invention and the principle 
of exportation of a content protected by a global CPS to a content protected by 

20 a local CPS; and 

- Fig. 2 is a flowchart illustrating the behavior of a device carrying out 
the exportation process. 

Description of the preferred embodiments 
25 Fig. 1 illustrates the environment of the invention. It may be for 

example a digital home network 1 protected by a global CPS, this network 
comprising two Access Devices 12, 13 and two Recorder Devices 14, 15 linked 
together by a digital bus 16. 

The principles of protection of the data by the global CPS in the 
30 home network are disclosed in documents FR-A-2 792 482 and FR-A-2 824 
212. 

Interactions between local and global CPS are ensured thanks to the 
following devices: 

- the Access Devices that receive local CPS-protected contents from 
35 the outside of the network and convert them into global CPS- 

protected contents; and 
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- the Recorder Devices that create either global CPS-protected copies 
10 or local CPS-protected copies 11. 

We will now describe more particularly the Access Devices behavior 
and the Recorder Devices behavior according to the principles of the invention. 

1. Access Devices behavior 

Each time an Access Device is required to convert a local CPS- 
protected content it receives from the outside of the network into a new global 
CPS-protected content, it generates a Content Unique Identifier associated with 
this new content. It then inserts the CUl in the content, preferably in a part of the 
content protected by encryption or authentication. 

The CUl may be "probably unique" (for example a large size random 
number generated by a pseudo-random generator) or "actually unique". In the 
latter case, Access Devices should be given a unique identifier at their 
installation in the network. This identifier will be the first part of the CUl. The 
second part will be a counter maintained by the Access Device. The CUl is 
preferably at least 80 bits long. 

2. Recorder Devices behavior 

This behavior is illustrated by the flowchart of Fig. 2. 

A Recorder Device is capable of recording a content having a 
"private-copy" status and created in the network protected by the global CPS to 
create a local CPS-protected copy of this content. 

According to the invention, each Recorder Device has a Content 
Exportation Table (CET) storing all the CUIs of local CPS-protected content that 
have already been created. This CET is preferably stored in a protected or 
secure memory of the Recorder Device. It can also be stored in an encrypted or 
authenticated form in a conventional non-secure memory of the Recorder 
Device. In the latter case, only the encryption key or authentication key used to 
encrypt or authenticate the CET need to be stored in a secure memory, for 
example a memory included in a smart card. 

As illustrated in Fig. 2, each time the recorder device is requested to 
create a new copy of a "private-copy" content (step 20), a test is carried out at 
step 21 to check whether the copy remains protected by the global CPS or not. 
If the copy remains global CPS-protected (i.e. the copy is destined to be used in 
the home network 1 protected by the global CPS), then the recorder simply 
duplicates this content (step 22). Otherwise, if the new copy is a local CPS- 
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protected content (i.e. a copy to be used outside the network 1 in another 
system protected by a local CPS) then, the Recorder Device first extracts the 
CUI from the content and checks whether it is already in its CET or not (step 
24). In order to extract the CUI from the content, the Recorder Device contains 

5 the necessary encryption or authentication keys that have been used to insert 
the CUI in a protected part of the content or is able to recover them. If the 
extracted CUI is already in the CET of the Recorder Device, the content is 
blocked and the copy does not takes place (step 26). Else, the Recorder Device 
adds the CUI in the CET and creates the copy. The local CPS should treat the 

1 0 copy as a "copy-no-more" or "copy-never" content. 

It is also possible to allow the Recorder Device to make more than a 
single local CPS-protected copy of a given "private-copy" content. In this case, 
the CET will store with each CUI, a counter of the number of local CPS- 
protected copies made for this content, this counter being incremented each 

15 time a local CPS-protected copy is made for this content. When the maximum 
number of allowed copies is reached for a given content, then the Recorder 
Device will not make any more local CPS-protected copy of this content 

According to a variant embodiment, only a limited number of 
20 Recorder Devices is authorized to make copies protected by a local CPS in a 
home network such as network 1. Preferably, only one Recorder Device per 
network is authorized to make copies protected by a specific local CPS. These 
Recorder Devices are called exportation devices. In Fig. 1, Recorder Device 15 
is an exportation device. The Recorder Devices that can create only global 
25 CPS-protected copies are called storage units. Recorder Device 14 of Fig. 1 is a 
storage unit. In this preferred embodiment, only the exportation devices have a 
CET for storing the CUI of contents already copied with a local CPS protection. 

We suppose now that the global CPS is the SmartRight™ system 
30 ("SmartRight" is a trademark of THOMSON) disclosed in the documents 
previously mentioned (FR-A-2 792 482 and FR-A-2 824 212) and In a further 
document WO-A-03 019899. 

The Access Devices illustrated in Fig. 1 comprise converter cards 
(not illustrated in Fig. 1) which are in charge of creating messages called LECM 
35 (acronym of "Local Entitlement Control Message"). The LECMs contain control 
words CW which are used to scramble the content entering the home network 
through an Access Device. These CW are contained in a part of the LECM 
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which is protected (preferably by encryption with a key or with keys specific to 
the network). 

According to the present invention, the converter card randomly 
chooses the CUI during the LECM building step when a content is received in 
5 the network by an Access Device. The CUI is then placed in the protected part 
of the LECM. 

Recorder Device 15 which is an exportation device comprises a 
terminal card (not illustrated). This terminal card is a smart card, i.e. a card with 
a secure microprocessor, containing the key(s) necessary to decrypt the 
10 protected part of the LECM and It furthermore contains, according to the 
invention, the CET for storing the CUI of the contents already copied by 
Recorder Device 15 with a local CPS protection. 

When Recorder Device 15 receives a new content (having a "private- 
copy" status) to be exported (Le. to be used to perform a local CPS-protected 
15 copy of this content), its terminal card first checks whether the CUI contained in 
the first LECM associated with this content is already in its CET or not. If yes, 
the terminal will output a message forbiding the copy. Else, it will add the CUI in 
the CET and then output a message authorizing the copy. 

Preferably, the CET is not erased after a terminal card reinitialization. 

20 
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CLAIMS 

1. Device (15) for preventing illegal exportation of a content protected 
by a global copy protection system to a local copy protection system, 
5 characterized in that each content liable to be exported contains a unique 
identifier (CUI) and in that the device (15) comprises an exportation table (CET) 
for storing unique identifiers of all contents that have already been exported 
through said device. 

10 2. Device according to claim 1, characterized in that the unique 

identifier (CUI) is contained in a part of the content protected by encryption or 
authentication and in that the device further comprises means for extracting 
said unique identifier from the content. 

15 3. Device according to any one of claims 1 or 2, characterized in that 

the exportation table (CET) is stored in a secure memory of the device. 

4. Device according to any one of claims 1 or 2, characterized in that 
the exportation table (CET) is stored In an encrypted or authenticated form in a 

20 conventional memory of the device and in that the encryption key or 
authentication key used to encrypt or authenticate the CET is stored in a secure 
memory. 

5. Device according to any one of the preceding claims intended to 
25 be used in a local network protected by a global copy protection system, 

characterized in that there are a limited number of such devices in the network. 

6. Device according to claim 5, characterized in that there is only one 
such device in the network. 

30 

7. Device according to one of the preceding claims, characterized in 
that ttie exportation table (CET) stored in said device further contains, for each 
unique identifier (CUI), a counter of the number of exportations of the content 
associated with said unique identifier, this counter being incremented each time 

35 an exportation is made through said device. 
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8. Method for recording a content received by a device according to 
any one of claims 1 to 6, characterized in that it comprises the steps consisting, 
if the copy is to be made for a local copy protection system, in: 

checking whether the unique Identifier (CUI) of said content is 
contained in the exportation table (CET) of said device; and 

- should said checking be positive, then preventing the recording; 
and 

- should said checking be negative, then recording the content and 
storing said unique identifier (CUI) in said exportation table. 

9. Method for recording a content received by a device according to 
claim 7, characterized in that it comprises the steps consisting, if the copy is to 
be made for a local copy protection system, in: 

(a) checking whether the unique identifier (CUI) of said content is 
contained in the exportation table (CET) of said device; and 

- should said checking of step (a) be positive, then 

(b) checking whether a predetermined maximum number of 
authorized copies has been reached by the counter associated with the unique 
identifier (CUI), and 

• in case the maximum number of copies has been reached, 
then preventing the recording; and 

• In case the maximum number of copies has not been 
reached, then incrementing the counter and recording the 
content; and 

- should said checking of step (a) be negative, then recording the 
content and storing said unique identifier (CUI) in said exportation 
table. 

10. Device (12, 13) adapted to be linked to a local network protected 
by a global copy protection system and to convert a content it receives into a 
content protected by said global copy protection system, charactertzed in that 
said device is furthermore adapted to generate a unique identifier (CUI) for each 
content It converts, the unique identifier being inserted In a part of the content 
protected by encryption or by authentication. 
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